Archive for July, 2018

In this example we’ll configure port forwarding for a web site so that a call to IP:8080 is redirected to port 80 and forwarded to a Windows web server behind the Fortigate firewall.

 

I created a custom VPC and an Internet Gateway (how to create a custom VPC is covered in an earlier post).

Creating Fortigate “public” route

Create a route table for the Fortigate “public” network with a default route (0.0.0.0/0) to the Internet Gateway, and associate it with the “public” subnet (192.168.10.0).

Creating route for “private” network

Route all traffic from the “private” network (192.168.30.0) to the Fortigate “internal” interface: the private subnet’s route table gets a default route (0.0.0.0/0) whose target is the Fortigate’s internal network interface (ENI), not the Internet Gateway, so every packet leaving the private subnet has to pass through the firewall.

 

Disable the source/destination check on both Fortigate interfaces. By default EC2 drops packets whose source or destination is not one of the interface’s own addresses; a firewall that routes and NATs on behalf of other hosts needs that check turned off on every interface it forwards through.

Click the interface to locate its interface ID (eni-…).

In the EC2 console go to Network Interfaces, select the interface and from the Actions menu select Change Source/Dest. Check.

 

Select Disabled and save. Repeat for the second interface.

 

Now log in to the Fortigate and go to Policy & Objects > Virtual IPs > Create New > Virtual IP.

The Mapped IP address is the address of the Windows web server. The External IP address is the private IP of the Fortigate’s external interface: AWS translates the Elastic IP to that private address before the packet reaches the instance, so the Elastic IP itself never appears in the packet. Enable Port Forwarding with protocol TCP, external port 8080 and mapped port 80.

 

Now create the incoming policy:

Incoming interface: external interface

Outgoing interface: internal interface

Source: all (tighten this to known client ranges if the site is not meant to be public)

Destination: the Virtual IP created above

Action: ACCEPT, with NAT left off so the web server sees and logs the real client addresses
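The same virtual IP and inbound policy written out in FortiOS CLI. This is an added example, not configuration from the original post: the interface names (port1 = external, port2 = internal), the external interface’s private IP 192.168.10.10 and the web server address 192.168.30.10 are assumptions to substitute with your own values.

```fortios
# Added example (not from the original post). Assumed: port1 = external ENI with
# private IP 192.168.10.10, port2 = internal ENI, Windows web server = 192.168.30.10.
config firewall vip
    edit "vip-web-8080"
        set comment "public :8080 -> Windows web server :80"
        set extintf "port1"
        # AWS NATs the Elastic IP to the ENI's private address, so the VIP matches on
        # the private IP (0.0.0.0 would match any address on port1)
        set extip 192.168.10.10
        set mappedip "192.168.30.10"
        set portforward enable
        set protocol tcp
        set extport 8080
        set mappedport 80
    next
end

config firewall policy
    edit 0
        set name "inbound-web-8080"
        set srcintf "port1"
        set dstintf "port2"
        # "all" is what the post uses; narrow it to known client ranges where possible
        set srcaddr "all"
        set dstaddr "vip-web-8080"
        set action accept
        set schedule "always"
        # the VIP's DNAT is applied before policy lookup, so the service is the mapped
        # port (HTTP = TCP/80); confirm with the policy lookup tool on your release
        set service "HTTP"
        # no source NAT: the web server keeps the real client address in its logs
        set nat disable
        set logtraffic all
    next
end
```

Only the VIP object is reachable through this policy; a second mapped service needs its own VIP and policy rather than a wider service or an "all" destination.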

 


Fortigate Explicit Web Proxy

Posted: July 29, 2018 in fortigate

System > Feature Visibility: turn on Explicit Proxy.

 

System > Settings > Inspection Mode: Proxy (on this release the explicit proxy needs proxy-based inspection; on later FortiOS releases inspection mode is chosen per policy instead of globally).

Go to the internal interface and enable Explicit Web Proxy. Enable it only on the internal (LAN) interface: enabling it on the Internet-facing interface turns the Fortigate into an open proxy.

If you want to change the default proxy port (8080):

Network > Explicit Proxy, under HTTP Port change the port number.

 

Policy & Objects > Proxy Policy > Create New

Type: Explicit Web

Outgoing interface: Internet-facing interface

Source: internal addresses (LAN in my case)

Destination: all

Service: webproxy

Action: ACCEPT

 

Set the proxy address in your browser: the Fortigate internal interface IP and the HTTP port chosen above.

Now you should be able to browse the internet through the proxy. Anything in the LAN address object can use it without logging in; if that is too broad, add a user group to the proxy policy so that users have to authenticate first.
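The explicit proxy steps above as FortiOS CLI, added here as an example rather than taken from the original post. Assumed names: port1 is the Internet-facing interface, port2 the internal one, and "LAN" is the address object for the internal subnet; the proxy port is the default 8080.

```fortios
# Added example (not from the original post). Assumed: port1 = Internet-facing,
# port2 = internal LAN, address object "LAN" = internal subnet, proxy port 8080.
config system settings
    # Feature Visibility: show the explicit proxy in the GUI
    set gui-explicit-proxy enable
    # explicit proxy requires proxy-based inspection on this release
    set inspection-mode proxy
end

config web-proxy explicit
    set status enable
    set http-port 8080
end

# the proxy listens only on interfaces where it is enabled: keep it off port1,
# otherwise anyone on the Internet can relay through the firewall
config system interface
    edit "port2"
        set explicit-web-proxy enable
    next
end

config firewall proxy-policy
    edit 0
        set name "lan-explicit-proxy"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Without a matching proxy policy the FortiGate listens on 8080 but refuses every request, so the policy is what actually opens the proxy to the LAN.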

 

In the previous article we created an IPsec VPN (with a pre-shared key); now we’ll create an SSL-VPN.

SSL VPN stands for Secure Sockets Layer virtual private network. It is also called a web-based VPN or WebVPN. An SSL VPN provides remote-access connectivity from almost any Internet-enabled location using only a web browser, because the tunnel is carried over the same TLS that HTTPS uses (the name is historical; the SSL protocol versions themselves are deprecated and the gateway should only negotiate TLS 1.2 or later).

Below is a comparison between IPsec and SSL VPN (shown as an image in the original post).

Create the local network definition: Policy & Objects > Addresses > Create New > Address.

 

There is a predefined SSL-VPN tunnel address range (SSLVPN_TUNNEL_ADDR1); I decided to use it.

 

Configuring Portal

Under VPN click SSL-VPN Settings, set Listen on Interface(s) to the WAN interface and change the default port 443 (I chose 444). Moving the port only keeps casual scanners away; it is not an access control. While here, replace the default Fortinet_Factory server certificate with one issued by a CA your clients trust, otherwise users learn to click through certificate warnings.

 

Click SSL-VPN Portals under VPN, edit the portal, enable Tunnel Mode and (optionally) select the VPN pool as the Source IP Pool.

Create the policy for access from the outside.

Incoming interface is the SSL-VPN tunnel interface (ssl.root), outgoing interface the internal interface, source the VPN pool restricted to the VPN_Users group, destination the local network. With this policy members of VPN_Users can access the local network.

The VPN_Users group was created in a previous post.

 

Testing access: browse to https://<Fortigate public IP>:444 and log in with a VPN_Users account.

Setting up FortiClient

Select SSL-VPN, enter the Fortigate public IP, check Customize port and type the port used for portal access (444 here).
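The SSL-VPN portal, settings and policy from this post in FortiOS CLI, as an added example and not the original post’s configuration. Assumed: port1 is the WAN interface, port2 the internal one, "LAN" is the local network address object from the first step, and "VPN_Users" is the LDAP-mapped group from the earlier post. The portal name vpn-users-tunnel is made up for this example.

```fortios
# Added example (not from the original post). Assumed: port1 = WAN, port2 = internal,
# "LAN" = local network address object, "VPN_Users" = AD-mapped user group.
config vpn ssl web portal
    edit "vpn-users-tunnel"
        set tunnel-mode enable
        set web-mode disable
        # the predefined pool the post uses
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        # only send LAN traffic through the tunnel
        set split-tunneling enable
        set split-tunneling-routing-address "LAN"
    next
end

config vpn ssl settings
    # Fortinet_Factory is self-signed: replace it with a CA-issued certificate before rollout
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    # listen on the WAN interface only
    set source-interface "port1"
    set port 444
    # users not matched by an authentication rule land on the restrictive default portal
    set default-portal "web-access"
    # refuse legacy protocol versions
    set tlsv1-0 disable
    set tlsv1-1 disable
    config authentication-rule
        edit 1
            set groups "VPN_Users"
            set portal "vpn-users-tunnel"
        next
    end
end

config firewall policy
    edit 0
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN"
        # the group on the policy is what keeps other LDAP users out even if they reach the portal
        set groups "VPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The authentication rule maps the group to the tunnel portal and the policy repeats the group on the traffic path; both are needed, since a portal login alone passes no packets.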

In the last post we integrated Active Directory with the Fortigate; now we’ll map the AD security group for VPN users to a Fortigate user group.

User & Device > User Groups > Create New

 

Type: Firewall. Under Remote Groups click Add and pick the LDAP server.

 

Click the OU that holds the VPN group, right-click the group and choose Add Selected. Map the group itself, not the whole OU, so that only members of that group can authenticate.

 

Now from the VPN menu click the VPN Creation Wizard and choose the Remote Access (FortiClient) template.

 

Select the Fortigate “WAN” interface (outside in my case), define the pre-shared key and select the VPN group created in the previous step. Use a long random pre-shared key: it is shared by every client, so it only identifies the device, and the user’s AD credentials (XAuth) are what actually authenticate the user.

 

Define the local interface, the local addresses, the VPN client subnet and optionally a DNS server.

 

Now create the IPv4 policy.

Go to Policy & Objects > IPv4 Policy.

The incoming interface (the tunnel interface) is created by the wizard; select the VPN client range as source and the local network as destination.

 

Download and install FortiClient.

Once installed click Configure VPN.

 

Select IPsec VPN, specify the Fortigate WAN interface address as the remote gateway and the pre-shared key defined in the previous steps; users then connect with their Active Directory username and password.
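A hand-written FortiOS CLI equivalent of what the wizard builds for this post: a dial-up IPsec tunnel with a pre-shared key plus XAuth against the AD-mapped group. This is an added example, not the wizard’s output or the original post’s configuration. Assumed: port1 is the WAN interface, port2 the internal one, "LAN" is the local network address object, "VPN_Users" is the AD-mapped group, the client pool is 10.10.10.1-10.10.10.50 and the DNS server is 192.168.20.10; the tunnel name and the pre-shared key placeholder are made up.

```fortios
# Added example (not from the original post). Assumed: port1 = WAN, port2 = internal,
# "LAN" = local network, "VPN_Users" = AD-mapped group, client pool 10.10.10.1-10.10.10.50,
# DNS 192.168.20.10. Replace the psksecret placeholder with a long random key.
config vpn ipsec phase1-interface
    edit "forticlient-dialup"
        set type dynamic
        set interface "port1"
        set ike-version 1
        # main mode: aggressive mode sends a crackable hash of the pre-shared key unencrypted
        set mode main
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set dpd on-idle
        # XAuth: the PSK only identifies the device, the user still logs in against AD
        set xauthtype auto
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 192.168.20.10
        # split tunnel: only LAN is routed through the VPN
        set ipv4-split-include "LAN"
        set psksecret "replace-with-a-long-random-pre-shared-key"
    next
end

config vpn ipsec phase2-interface
    edit "forticlient-dialup"
        set phase1name "forticlient-dialup"
        set proposal aes256-sha256 aes128-sha256
        set pfs enable
        set dhgrp 14
    next
end

config firewall address
    edit "forticlient-dialup_range"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.50
    next
end

config firewall policy
    edit 0
        set name "forticlient-to-lan"
        set srcintf "forticlient-dialup"
        set dstintf "port2"
        set srcaddr "forticlient-dialup_range"
        set dstaddr "LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With net-device enabled the tunnel appears as interface "forticlient-dialup", which is why the policy can name it directly as the incoming interface, matching what the post shows the wizard creating.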

 

I created 2 Organizational Units:

one for the service account fortigate_LDAP, used by the Fortigate to search Active Directory (service),

and one for the AD group that will hold all users who need to log in to the Fortigate (fortigate).

The service account only needs to bind and read the directory: give it an ordinary domain user account with a long password and no membership in any admin group.

 

User & Device > LDAP Servers > Create New

 

Type the domain controller IP, the Common Name Identifier (sAMAccountName for AD), the domain’s Distinguished Name (e.g. DC=corp,DC=local), Bind Type: Regular, and the service account username/password. Enable Secure Connection (LDAPS) with the domain CA certificate; otherwise the service account’s password and every user’s password crosses the network in cleartext.

 

Now map the AD group to a Fortigate group:

User & Device > User Groups > Create New

 

Under Remote Groups click Add and select the LDAP server.

 

Click the OU that holds our group, select the group, right-click and choose Add Selected.

 

Now associate this Fortigate group with an administrator profile:

System > Administrators > Create New > Administrator

 

Select Match all users in remote server group, select a profile and from the drop-down select the Fortigate user group created earlier. Prefer a restricted profile (prof_admin or a custom read-only profile) over super_admin, and set trusted hosts so that AD-backed admin logins are only accepted from management networks.

In the Admin Profiles section (System > Admin Profiles) we can create new profiles with narrower permissions.

Now you should be able to log in to the Fortigate with the Active Directory credentials of any member of the mapped group.
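The LDAP server, the two group mappings (the admin group from this post and the VPN_Users group that the IPsec and SSL-VPN posts above refer to) and the remote administrator, all in FortiOS CLI. This is an added example and not the original post’s configuration. Assumed: domain corp.example (DC=corp,DC=example), domain controller 192.168.20.10, service account fortigate_LDAP in the "service" OU, AD groups "fortigate" and "VPN_Users" in the "fortigate" OU, a CA certificate already imported under System > Certificates as "AD-Root-CA", and the made-up object names AD-LDAP and Fortigate_Admins.

```fortios
# Added example (not from the original post). Assumed: domain DC=corp,DC=example,
# DC at 192.168.20.10, bind account fortigate_LDAP in OU=service, AD groups "fortigate"
# (Fortigate admins) and "VPN_Users" in OU=fortigate, CA cert "AD-Root-CA" already imported.
config user ldap
    edit "AD-LDAP"
        set server "192.168.20.10"
        # LDAPS: without it the bind password and every user password cross the wire in cleartext
        set secure ldaps
        set port 636
        set ca-cert "AD-Root-CA"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        # regular bind with the low-privilege service account
        set type regular
        set username "CN=fortigate_LDAP,OU=service,DC=corp,DC=example"
        set password "replace-with-service-account-password"
    next
end

# Fortigate administrators: only members of the AD group "fortigate"
config user group
    edit "Fortigate_Admins"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=fortigate,OU=fortigate,DC=corp,DC=example"
            next
        end
    next
end

# VPN users: same LDAP server, different AD group (referenced by the VPN posts)
config user group
    edit "VPN_Users"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN_Users,OU=fortigate,DC=corp,DC=example"
            next
        end
    next
end

# "match all users in remote server group" administrator
config system admin
    edit "ad-admins"
        set remote-auth enable
        set remote-group "Fortigate_Admins"
        set wildcard enable
        # prof_admin instead of super_admin; narrow further with a custom profile if possible
        set accprofile "prof_admin"
        # accept these logins only from the management subnet
        set trusthost1 192.168.20.0 255.255.255.0
    next
end
```

The group-name match is the control that matters: a user group with the LDAP server as member but no match entry would let any authenticated domain account through.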

 

Fortinet Fortigate is a firewall appliance, also available as a virtual machine in Azure and Amazon. In this example we’ll deploy a Fortigate in Amazon.

In Launch Instance click AWS Marketplace and choose the product

 

and the instance type.

Select the VPC. If you try adding two interfaces at launch, you’ll get “We can no longer assign a public IP to your instance” (EC2 auto-assigns a public IP only when the instance is launched with a single interface), so assign only one network interface here.

I have a VPC with 2 subnets: 192.168.10.0/24 and 192.168.20.0/24. I assigned the interface to 192.168.10.0, which will be “external”.

I created a secondary interface and assigned it to the 192.168.20.0 subnet. This one will be “internal”.

Creating the second interface

In the EC2 menu click Network Interfaces > Create Network Interface

 

Select the subnet and a security group.

Attaching the interface

Click your Fortigate instance > Actions > Networking > Attach Network Interface

 

After the instance has started we can connect to it. Use the internal address, not the public one; otherwise, when changing the interface role, you’ll lose the connection to the Fortigate.

The default username is admin and the password is the instance ID. Change it at first login (the instance ID is visible to anyone with read access to the AWS account), and restrict HTTPS/SSH management access to trusted source addresses in the security group.

Click Network > Interfaces, right-click the interface > Edit

Set an alias and change the role (WAN for the external interface, LAN for the internal one).

If you need to get the members of a particular Azure AD role, use the script below (AzureAD PowerShell module):

 

Connect-AzureAD

# list the directory roles activated in the tenant (a role that has never been assigned is not returned)
Get-AzureADDirectoryRole | Select-Object DisplayName

# pick the role by display name ('Company Administrator' is the directory name of the Global Administrator role)
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }

# resolve the members to user objects and export display name and UPN
# (non-user members such as service principals are not returned by Get-AzureADUser)
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser | Select-Object DisplayName, UserPrincipalName | Export-Csv "C:\Users\lap-top\Downloads\1.csv" -NoTypeInformation